This topic is to discuss the following lesson:
Good work. I have a question.
I am using Packet Tracer 6.0.1.
I have a network with 2 routers, and 2 PC’s, one on each router. They are on three different networks. 15.x.x.x, 17.x.x.x, and 20.x.x.x. PC1 is on the 15.x.x.x network, and PC2 is on the 17.x.x.x network. They can ping each other before I put in the access-list. (I’m using RIP.)
Then I put in the access list on Router 2
access-list 5 deny 22.214.171.124 0.255.255.255 access-list 5 permit any interface FastEthernet0/1 ip access-group 5 in
When I ping PC2 from PC1 I get "Reply from 126.96.36.199: Destination host unreachable. "
Now when I ping PC1 from PC2 I get “request time out.”
When I ping PC1 from Router 2 I get no reply. "Success rate is 0 percent (0/5)
So my question is why can’t I ping to PC1? Am I missing a command?
The problem is that your ping will make it from pc2 to pc1 will make it, but the return traffic is dropped by your deny entry.
Hi Rene, I am a nornmally a windows network admin, and have been appointed to put security on our routers and swiches. I know this is a stupid question but when doing access-lists permit, Do I just put the serial address or the eithernet or both? We are running point to point and the router I am working on is remote, so I was going to put the serial address from the our core router to the remote.
I only need the remote side to see our core router so would the command be access-lists 1 permit?
With the standard access-list you can only create permit or deny statements that match source addresses. If you want a more precise statement you’ll need an extended access-list because it can match on source and destination addresses.
You mentioned “ill show you how to modify the access-list without deleting the whole thing” but I didnt find it in this lesson. Can you please explain ?
To do this you have to use the “ip access-list” command instead of the “access-list” command. Here’s an example:
R1#show access-lists Standard IP access list MY_ACL 10 permit 192.168.1.0, wildcard bits 0.0.0.255 20 permit 192.168.2.0, wildcard bits 0.0.0.255 30 permit 192.168.4.0, wildcard bits 0.0.0.255
Let’s say I want to add an entry for 192.168.3.0 in between, I can do it like this:
R1(config)#ip access-list standard MY_ACL R1(config-std-nacl)#21 permit 192.168.3.0 0.0.0.255
Here it is:
R1#show access-lists Standard IP access list MY_ACL 10 permit 192.168.1.0, wildcard bits 0.0.0.255 20 permit 192.168.2.0, wildcard bits 0.0.0.255 21 permit 192.168.3.0, wildcard bits 0.0.0.255 30 permit 192.168.4.0, wildcard bits 0.0.0.255
And you can delete statements too…let’s get rid of 10 + 20:
R1(config)#ip access-list standard MY_ACL R1(config-std-nacl)#no 10 R1(config-std-nacl)#no 20
Now it looks like this:
R1#show access-lists Standard IP access list MY_ACL 21 permit 192.168.3.0, wildcard bits 0.0.0.255 30 permit 192.168.4.0, wildcard bits 0.0.0.255
Hope this helps!
can you explain how the number that is shown in match is calculated. like the first ping you did, it shows 27 matches, how is this caclulated, did it ping it 27 times etc?
Each match that you see is a single packet that has matched, that’s it. If you see 27 matches then it means that 27 packets have matched this statement.
Need your help once again… How can an ACL with a wild card mask of 0.0.254.254 catch odd networks and even hosts?
e.g. Networks: 188.8.131.52-184.108.40.206 with 6 host in each network. The ACL will catch:
220.127.116.11(Net)/18.104.22.168,.4,.6 (Host) - 22.214.171.124(Net)/126.96.36.199,.4,.6(Host); so on so fourth… I know 254= 0000 0001, but I don’t understand how it catches only the even hosts?
You didn’t specify the network address that you used with the wildcard. Let’s assume it’s 188.8.131.52 0.0.254.254. Let’s look at some examples…
184.108.40.206 = 00010100 000001010 00000001 00000000 220.127.116.11 = 00010100 000001010 00000001 00000001 18.104.22.168 = 00010100 000001010 00000001 00000010 22.214.171.124 = 00010100 000001010 00000001 00000011 126.96.36.199 = 00010100 000001010 00000001 00000100 188.8.131.52 = 00010100 000001010 00000010 00000000 184.108.40.206 = 00010100 000001010 00000011 00000000 220.127.116.11 = 00010100 000001010 00000100 00000000 18.104.22.168 = 00010100 000001010 00000100 00000001 22.214.171.124 = 00010100 000001010 00000100 00000010
And our network and wildcard:
126.96.36.199 = 00010100 000001010 00000000 00000000 0.0.254.254 = 00000000 00000000 11111110 111111110
The first two octets have to match so we are only looking at the 20.10.x.x range. Let’s forget about those two octets.
1.0 = 00000001 00000000 1.1 = 00000001 00000001 1.2 = 00000001 00000010 1.3 = 00000001 00000011 1.4 = 00000001 00000100 2.0 = 00000010 00000000 3.0 = 00000011 00000000 4.0 = 00000100 00000000 4.1 = 00000100 00000001 4.2 = 00000100 00000010 NW = 00000000 000000000 WC = 11111110 111111110
With this network/wildcard combination, the 24th and 32th bit have to be a 0. We don’t care about the other bits, Only 188.8.131.52, 184.108.40.206 and 220.127.116.11 will match this. It matches only the EVEN networks with EVEN host addresses. If you want the odd networks, use a “deny” in your access-list instead of a “permit”.
If you want to get funky you could use another network address in combination with this wildcard. Let’s say we pick 18.104.22.168:
22.214.171.124 = 00010100 000001010 00000000 00000001 0.0.254.254 = 00000000 00000000 11111110 111111110
Let’s look at the last two octects:
1.0 = 00000001 00000000 1.1 = 00000001 00000001 1.2 = 00000001 00000010 1.3 = 00000001 00000011 1.4 = 00000001 00000100 2.0 = 00000010 00000000 3.0 = 00000011 00000000 4.0 = 00000100 00000000 4.1 = 00000100 00000001 4.2 = 00000100 00000010 NW = 00000000 000000001 WC = 11111110 111111110
Now we are saying that the 24th bit has to be a 0 and the 32th bit has to be a 1. In my example that would only be 126.96.36.199. Another match would be 188.8.131.52 or 184.108.40.206. Now you have EVEN networks with ODD host addresses.
Hope this helps, it can be mind boggling. If you are unsure, write down everything in binary and then check for the matching bits. You can verify your work with two routers, some loopback interfaces and a distribute-list for RIP/EIGRP. If you want some more explanations, take a look here:
In one on your post above, I finally understood the difference between ip access-list and only access-list command. Thanks you so much.
I have a query.
If I give a ping without the source command , why it is not taking the loop back interface as source. Will it always take the physical interface by default?
Could you please tell me if I could apply an access-list inbound and an access-list outbound for the same interface.
R(config)#access-list 1 permit 220.127.116.11 0.0.0.255 R(config)#access-list 1 deny 18.104.22.168 0.0.0.255 R(config)#access-list 1 permit any R(config-if)#ip access-group 1 in R(config-if)#ip access-group 1 out
By default, the interface that is “closest” to the destination is the one chosen. This means, that the ip address of the interface that would be used (as dictated by CEF or the routing table) is the IP selected as the source.
Yes, it is possible to apply two access lists to the same interface, as long as one is inbound and the other is outbound. Actually, if you take IPv6 into account you can have up to four access lists on an interface, one per direction per protocol.
I hope this has been helpful!
I have a query. In the below access-list 2, why pings from R1 to IP 22.214.171.124 are failing? As per statement, it should only deny traffic from 192.168.12.0, right?
R2#sh ip access-list 2 (deny traffic from n/w 192.168.12.0; permit all other n/w's) Standard IP access list 2 10 deny 192.168.12.0, wildcard bits 0.0.0.255 (90 matches) 20 permit any (30 matches)
R1#pi 126.96.36.199 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5)
R2#sh run int fa0/0 Building configuration... Current configuration : 119 bytes ! interface FastEthernet0/0 ip address 192.168.12.2 255.255.255.0 ip access-group 2 in duplex auto speed auto end
In your deny statement, you are denying traffic from the entire 192.168.12.0/24 subnet. R1 is probably using 192.168.12.1 as its source address.
How can I filter local generated packet in the router ?
When creating and implementing (extended) access lists, you are specifying how to filter traffic based on source and destination IPs, protocols, ports etc. In order to filter traffic that is generated locally by the router, you just have to determine the IP address from which it is being generated (an IP address of a local physical or loopback interface) and filter it accordingly by applying the access list to the appropriate interface(s).
You don’t have to do anything special for locally generated traffic, just make sure you have the appropriate IP address ranges included in your access lists.
I hope this has been helpful!